{"id":118362,"date":"2020-09-03T06:00:25","date_gmt":"2020-09-03T13:00:25","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=118362"},"modified":"2020-09-03T08:32:26","modified_gmt":"2020-09-03T15:32:26","slug":"secops-executive-culture","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/09\/secops-executive-culture\/","title":{"rendered":"How Executive Culture Can Compromise Your Security"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Dear Executive,\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Last night, your company was breached, and it was potentially you who allowed that to happen.\u00a0\u00a0<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">\u201cHow is this possible?\u201d<\/span><\/i><span style=\"font-weight: 400;\"> you say. \u201c<\/span><i><span style=\"font-weight: 400;\">I spent the money. I hired the people. I bought [insert flavor-of-the-year security solution]. I attended the conferences and went to the classes.<\/span><\/i> <i><span style=\"font-weight: 400;\">We were locked down!\u201d<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Your manifold millions of dollars of security solutions and personnel were subverted in a savvy feat of technomancy by threat actors and, instead of some new zero day, they exploited a CVE from 2019. The reason they could had everything to do with your corporate culture.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">\u201cBut we have great corporate culture! Our people are happy and enthusiastic!\u201d\u00a0<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">While that is a valuable advantage for a company to have, through action \u2013 or inaction \u2013 leaders frequently also create a culture of intimidation and reluctance to innovate and speak out in their organizations. 
This happens by fostering a focus on delivering the <\/span><b>production objectives<\/b><span style=\"font-weight: 400;\"> of leadership at <\/span><b>all costs<\/b><span style=\"font-weight: 400;\">. When security hygiene is not held in the same reverence as production, it creates an atmosphere where maintaining production levels dominates and the drive to stay secure surrenders to fear.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">TL;DR: People stop innovating when they fear retaliation.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Does This Sound Familiar?<\/span><\/h2>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Production must <\/span><i><span style=\"font-weight: 400;\">not<\/span><\/i><span style=\"font-weight: 400;\"> be impacted.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Rigid review board with change controls so onerous that changes, including ones to address security, move in <\/span><i><span style=\"font-weight: 400;\">weeks <\/span><\/i><span style=\"font-weight: 400;\">and<\/span><i><span style=\"font-weight: 400;\"> months<\/span><\/i><span style=\"font-weight: 400;\">, not days and weeks,<\/span><i><span style=\"font-weight: 400;\"> even in DEV<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Patches can take <\/span><i><span style=\"font-weight: 400;\">months<\/span><\/i><span style=\"font-weight: 400;\"> or <\/span><i><span style=\"font-weight: 400;\">years<\/span><\/i><span style=\"font-weight: 400;\"> to go into production.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The negative lessons of past security efforts are what are remembered, to the exclusion of positive changes.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Negative comments in casual conversation 
by leadership continue long after the event.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Does the organization create a culture of security as a core philosophy?<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Would email delays caused by new phishing countermeasures be met with reprimands or with understanding (given that phishing is the threat mechanism most exploited by cyber criminals)?<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Should <\/span><i><span style=\"font-weight: 400;\">temporarily<\/span><\/i><span style=\"font-weight: 400;\"> slowed traffic from newly fielded East-West firewalls be seen as a firing offense \u2013 or praised for demonstrating the initiative to inspect traffic in new places?<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Are firewalls, CASB or endpoint protection settings in \u201cmonitor\/alert\u201d mode, instead of \u201cblock,\u201d for fear of false positives?<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Are fears of generating trouble tickets that increase <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/01\/cortex-soc-metrics\/\"><span style=\"font-weight: 400;\">\u201cmean time to resolution\u201d metrics<\/span><\/a><span style=\"font-weight: 400;\"> keeping personnel from using the very solutions purchased to improve security, simply because it would \u201cmake their numbers look bad\u201d?<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">\u201cFear Is the Mind Killer.\u201d<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Even casual negative comments dropped in conversation from leadership can have an effect at the working level that will make any enterprise lumber like Frankenstein instead of dancing like Fred Astaire.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A culture of fear and retaliation flows from the top. 
Conversely, it must stop at the top, and not just implicitly. Understanding and wisdom must be driven from the top in outspoken terms and backed up with actions.<\/span><\/p>\n<p><b>The key is to rationally accept risk and explicitly state that people won\u2019t lose their jobs due to an incident \u2013 if they <\/b><b><i>responsibly innovate.<\/i><\/b><b> You have to back your words up with top cover.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Being a leader means taking the heat when security innovation might cause disruptions \u2013 <\/span><b><i>and having the wisdom to keep doing it.<\/i><\/b><\/p>\n<h2><span style=\"font-weight: 400;\">Creating a Better Executive Culture<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">So what are some simple steps executives can take to build a smart security culture?<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Manage <\/span><i><span style=\"font-weight: 400;\">sideways. <\/span><\/i><span style=\"font-weight: 400;\">Partners in the executive team need to understand the explosively dynamic nature of security and the dedicated threat actors who are trying to penetrate the enterprise. Nothing will stop them forever. <\/span><i><span style=\"font-weight: 400;\">Nothing.<\/span><\/i><span style=\"font-weight: 400;\"> Be prepared for trouble when it happens.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Manage <\/span><i><span style=\"font-weight: 400;\">down.<\/span><\/i><span style=\"font-weight: 400;\"> People need to know the executives have their backs when hard calls to support security are needed. Period. 
Full stop.<\/span><\/li>\n<li style=\"font-weight: 400;\"><i><span style=\"font-weight: 400;\">Lead from the front and then get out of the way.<\/span><\/i><span style=\"font-weight: 400;\"> People have to know they can take responsible risks at work without threatening their livelihood. Take the heat for allowing innovation before even knowing what went wrong. That is the executive\u2019s role.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><i><span style=\"font-weight: 400;\">Watch what is said, how it was said and what is done \u2013 <\/span><\/i><b><i>especially<\/i><\/b><i><span style=\"font-weight: 400;\"> in private.<\/span><\/i><span style=\"font-weight: 400;\"> Middle tier management pays the <\/span><i><span style=\"font-weight: 400;\">most<\/span><\/i><span style=\"font-weight: 400;\"> attention to their executives <\/span><i><span style=\"font-weight: 400;\">when only they can hear what is said.<\/span><\/i><span style=\"font-weight: 400;\"> If something is done to suggest that executives won\u2019t truly support security measures and innovation, knowledge of this bleeds down from leadership and the organization will fall back into fear culture.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><i><span style=\"font-weight: 400;\">Practice embracing \u201cdetermined fallibility.\u201d<\/span><\/i><span style=\"font-weight: 400;\"> Understand that nobody is perfect and engineers are no less human. Learn well, forgive fully, and move on.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/01\/cortex-secops-strategies\/\"><i><span style=\"font-weight: 400;\">Automate everything possible<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><span style=\"font-weight: 400;\"> Engineers are never more dangerous than when they are bored and they can be the hardest working lazy people in the world. 
<\/span><i><span style=\"font-weight: 400;\">\u201cWhat does that mean?\u201d<\/span><\/i><span style=\"font-weight: 400;\"> you ask. Many engineers will work all day to automate a step that takes 20 minutes. Let them. Once the mind-numbing work is handled, they will get to the side projects that truly increase your organization\u2019s security maturity level.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><i><span style=\"font-weight: 400;\">Work as hard as they do.<\/span><\/i><span style=\"font-weight: 400;\"> They have to see it. Regularly. Get in amongst staff and be interested and accessible, but know when to get out of the way. This behavior will reward your entire organization in the form of dedication from your entire staff. Sequestering in an office reinforces a culture of seclusion. When executives enter workspaces, it invites feedback.\u00a0<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Executives must broadcast their stance that security is an evolving field and requires agility and tolerance of change. Agile organizations are ready to embrace the concept espoused by the legendary Bruce Lee: \"Empty your mind, be formless, shapeless<\/span><span style=\"font-weight: 400;\">, <\/span><b>like water<\/b><span style=\"font-weight: 400;\">. If you put water into a cup, it becomes the cup.\"<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Security\u2019s \u201ccup\u201d will change before the paint is dry on the latest whizbang security appliance and the \u201cwater\u201d will need to flow into it. 
Threats on the internet are inherently asymmetric,* and we will never know when the next attack is coming or what form it will take.<\/span><\/p>\n<p><b>With<\/b><span style=\"font-weight: 400;\"> the grace to tolerate calculated risk internally, executives become the inspiration for their organization to grow.<\/span><\/p>\n<p><b>Without<\/b><span style=\"font-weight: 400;\"> it, security becomes secondary and the organization risks becoming the news article outsiders cite in their next security expenditure justifications.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">For more on how to improve security operations, read our series, \u201c<\/span><\/i><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/elements-of-security-operations\/\"><i><span style=\"font-weight: 400;\">Elements of Security Operations.<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">\u201d<\/span><\/i><\/p>\n<p><span style=\"font-size: 8pt;\"><span style=\"font-weight: 400;\">*<\/span><b>Asymmetric warfare<\/b> <i><span style=\"font-weight: 400;\">(military concept) is conflict between belligerents whose relative capacity to make war differs significantly; it implies irregular attack intervals and wildly changing vectors that subvert static defenses.<\/span><\/i><\/span><\/p>\n<p><em><span style=\"font-weight: 400;\">Bruce Hembree is a Cortex Field CTO for Palo Alto Networks.<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400;\">Andre Ludwig is Chief Product Officer for Bricata. 
<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400;\">Sasha Hellberg is Senior Manager of Threat Intelligence at Bell Canada.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Even if you invest in security, hire great people and learn about the industry, your executive culture could be undermining your organization\u2019s security.<\/p>\n","protected":false},"author":663,"featured_media":118032,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6765,6770],"tags":[961,3000,673],"coauthors":[7283,7284,7285],"class_list":["post-118362","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-enterprise","category-secure-the-future","tag-breach","tag-leadership","tag-security-operations-center","sec_ops_category-must-read-articles"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/08\/Skyscraper-blog.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/118362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=118362"}],"version-history":[{"count":3,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/118362\/revisions"}],"predecessor-version":[{"id":118382,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/bl
og\/wp-json\/wp\/v2\/posts\/118362\/revisions\/118382"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/118032"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=118362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=118362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=118362"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=118362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}